fix: pipeline fix for Import image to acr (Azure#3714)

## Description Adds AVM common type and fixes the pipeline Closes Azure#3695 ## Pipeline Reference  | Pipeline | | -------- | | [![avm.ptn.deployment-script.import-image-to-acr](https://github.com/ReneHezser/bicep-registry-modules/actions/workflows/avm.ptn.deployment-script.import-image-to-acr.yml/badge.svg?branch=import-image-to-acr-udt)](https://github.com/ReneHezser/bicep-registry-modules/actions/workflows/avm.ptn.deployment-script.import-image-to-acr.yml) | ## Type of Change - [ ] Update to CI Environment or utilities (Non-module affecting changes) - [x] Azure Verified Module updates: - [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [x] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [x] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`. - [ ] Update to documentation ## Checklist - [x] I'm sure there are no other open Pull Requests for the same update/change - [x] I have run `Set-AVMModule` locally to generate the supporting module files. - [x] My corresponding pipelines / checks run clean and green without any errors or warnings
pankajagrawal16 · Nov 4, 2024 · 7093ac1 · 7093ac1
1 parent fb765f1
commit 7093ac1
Show file tree

Hide file tree

Showing 6 changed files with 42 additions and 34 deletions.
diff --git a/avm/ptn/deployment-script/import-image-to-acr/README.md b/avm/ptn/deployment-script/import-image-to-acr/README.md
@@ -393,13 +393,13 @@ The managed identity definition for this resource. Required if `assignRbacRole`
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
-| [`userAssignedResourcesIds`](#parameter-managedidentitiesuserassignedresourcesids) | array | The resource ID(s) to assign to the resource. |
+| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. |
 
-### Parameter: `managedIdentities.userAssignedResourcesIds`
+### Parameter: `managedIdentities.userAssignedResourceIds`
 
-The resource ID(s) to assign to the resource.
+The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption.
 
-- Required: Yes
+- Required: No
 - Type: array
 
 ### Parameter: `managedIdentityName`
@@ -497,6 +497,7 @@ The password for the source registry. Required if the source registry is private
 - Required: No
 - Type: securestring
 - Default: `''`
+- Example: `keyVault.getSecret("keyVaultSecretName")`
 
 ### Parameter: `sourceRegistryUsername`
 
@@ -550,6 +551,7 @@ This section gives you an overview of all local-referenced module files (i.e., o
 | Reference | Type |
 | :-- | :-- |
 | `br/public:avm/res/resources/deployment-script:0.4.0` | Remote reference |
+| `br/public:avm/utl/types/avm-common-types:0.2.1` | Remote reference |
 
 ## Notes
 

diff --git a/avm/ptn/deployment-script/import-image-to-acr/main.bicep b/avm/ptn/deployment-script/import-image-to-acr/main.bicep
@@ -20,8 +20,9 @@ param runOnce bool = false
 @description('Optional. If set, the `Contributor` role will be granted to the managed identity (passed by the `managedIdentities` parameter or create with the name specified in parameter `managedIdentityName`), which is needed to import images into the Azure Container Registry. Defaults to `true`.')
 param assignRbacRole bool = true
 
+import { managedIdentityOnlyUserAssignedType } from 'br/public:avm/utl/types/avm-common-types:0.2.1'
 @description('Conditional. The managed identity definition for this resource. Required if `assignRbacRole` is `true` and `managedIdentityName` is `null`.')
-param managedIdentities managedIdentitiesType?
+param managedIdentities managedIdentityOnlyUserAssignedType?
 
 @description('Conditional. Name of the Managed Identity resource to create. Required if `assignRbacRole` is `true` and `managedIdentities` is `null`. Defaults to `id-ContainerRegistryImport`.')
 param managedIdentityName string?
@@ -41,6 +42,7 @@ param sourceRegistryUsername string = ''
 
 @description('Optional. The password for the source registry. Required if the source registry is private, or to logon to the public docker registry.')
 @secure()
+@metadata({ example: 'keyVault.getSecret("keyVaultSecretName")' })
 param sourceRegistryPassword string = ''
 
 @description('Optional. The new image name in the ACR. You can use this to import a publically available image with a custom name for later updating from e.g., your build pipeline.')
@@ -87,7 +89,7 @@ param tags object?
 // Variables      //
 // ============== //
 
-var useExistingManagedIdentity = length(managedIdentities.?userAssignedResourcesIds ?? []) > 0
+var useExistingManagedIdentity = length(managedIdentities.?userAssignedResourceIds ?? []) > 0
 
 // ============== //
 // Resources      //
@@ -118,7 +120,7 @@ resource acr 'Microsoft.ContainerRegistry/registries@2023-07-01' existing = {
 
 // needed to "convert" resourceIds to principalId
 resource existingManagedIdentities 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = [
-  for resourceId in (managedIdentities.?userAssignedResourcesIds ?? []): if (assignRbacRole) {
+  for resourceId in (managedIdentities.?userAssignedResourceIds ?? []): if (assignRbacRole) {
     name: last(split(resourceId, '/'))
     scope: resourceGroup(split(resourceId, '/')[2], split(resourceId, '/')[4]) // get the resource group from the managed identity, as it could be in another resource group
   }
@@ -132,7 +134,7 @@ resource newManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@20
 
 // assign the Contributor role to the managed identity (new or existing) to import images into the ACR
 resource acrRoleAssignmentExistingManagedIdentities 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
-  for i in range(0, length(assignRbacRole ? (managedIdentities.?userAssignedResourcesIds ?? []) : [])): if (useExistingManagedIdentity && assignRbacRole) {
+  for i in range(0, length(assignRbacRole ? (managedIdentities.?userAssignedResourceIds ?? []) : [])): if (useExistingManagedIdentity && assignRbacRole) {
     name: guid('roleAssignment-acr-${existingManagedIdentities[i].name}')
     scope: acr
     properties: {
@@ -166,7 +168,8 @@ module imageImport 'br/public:avm/res/resources/deployment-script:0.4.0' = {
     location: location
     tags: tags
     managedIdentities: useExistingManagedIdentity
-      ? managedIdentities
+      // ? managedIdentities // once the referenced module is using the common type
+      ? { userAssignedResourcesIds: managedIdentities.?userAssignedResourceIds! }
       : { userAssignedResourcesIds: [newManagedIdentity.id] }
     kind: 'AzureCLI'
     runOnce: runOnce
@@ -248,8 +251,3 @@ type importedImageType = {
   @description('Required. The image name in the Azure Container Registry.')
   acrHostedImage: string
 }
-
-type managedIdentitiesType = {
-  @description('Optional. The resource ID(s) to assign to the resource.')
-  userAssignedResourcesIds: string[]
-}
diff --git a/avm/ptn/deployment-script/import-image-to-acr/main.json b/avm/ptn/deployment-script/import-image-to-acr/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.3.12046",
-      "templateHash": "17375159703541878382"
+      "version": "0.30.23.60470",
+      "templateHash": "13499969833198262162"
     },
     "name": "import-image-to-acr",
     "description": "This modules deployes an image to an Azure Container Registry.",
@@ -30,18 +30,25 @@
         }
       }
     },
-    "managedIdentitiesType": {
+    "managedIdentityOnlyUserAssignedType": {
       "type": "object",
       "properties": {
-        "userAssignedResourcesIds": {
+        "userAssignedResourceIds": {
           "type": "array",
           "items": {
             "type": "string"
           },
+          "nullable": true,
           "metadata": {
-            "description": "Optional. The resource ID(s) to assign to the resource."
+            "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption."
           }
         }
+      },
+      "metadata": {
+        "description": "An AVM-aligned type for a managed identity configuration. To be used if only user-assigned identities are supported by the resource provider.",
+        "__bicep_imported_from!": {
+          "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1"
+        }
       }
     }
   },
@@ -87,7 +94,7 @@
       }
     },
     "managedIdentities": {
-      "$ref": "#/definitions/managedIdentitiesType",
+      "$ref": "#/definitions/managedIdentityOnlyUserAssignedType",
       "nullable": true,
       "metadata": {
         "description": "Conditional. The managed identity definition for this resource. Required if `assignRbacRole` is `true` and `managedIdentityName` is `null`."
@@ -122,6 +129,7 @@
       "type": "securestring",
       "defaultValue": "",
       "metadata": {
+        "example": "keyVault.getSecret(\"keyVaultSecretName\")",
         "description": "Optional. The password for the source registry. Required if the source registry is private, or to logon to the public docker registry."
       }
     },
@@ -193,7 +201,7 @@
     }
   },
   "variables": {
-    "useExistingManagedIdentity": "[greater(length(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray())), 0)]"
+    "useExistingManagedIdentity": "[greater(length(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray())), 0)]"
   },
   "resources": {
     "avmTelemetry": {
@@ -225,15 +233,15 @@
     "existingManagedIdentities": {
       "copy": {
         "name": "existingManagedIdentities",
-        "count": "[length(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()))]"
+        "count": "[length(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()))]"
       },
       "condition": "[parameters('assignRbacRole')]",
       "existing": true,
       "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
       "apiVersion": "2023-01-31",
-      "subscriptionId": "[split(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray())[copyIndex()], '/')[2]]",
-      "resourceGroup": "[split(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray())[copyIndex()], '/')[4]]",
-      "name": "[last(split(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray())[copyIndex()], '/'))]"
+      "subscriptionId": "[split(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray())[copyIndex()], '/')[2]]",
+      "resourceGroup": "[split(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray())[copyIndex()], '/')[4]]",
+      "name": "[last(split(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray())[copyIndex()], '/'))]"
     },
     "newManagedIdentity": {
       "condition": "[and(not(variables('useExistingManagedIdentity')), parameters('assignRbacRole'))]",
@@ -246,22 +254,22 @@
     "acrRoleAssignmentExistingManagedIdentities": {
       "copy": {
         "name": "acrRoleAssignmentExistingManagedIdentities",
-        "count": "[length(range(0, length(if(parameters('assignRbacRole'), coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), createArray()))))]"
+        "count": "[length(range(0, length(if(parameters('assignRbacRole'), coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), createArray()))))]"
       },
       "condition": "[and(variables('useExistingManagedIdentity'), parameters('assignRbacRole'))]",
       "type": "Microsoft.Authorization/roleAssignments",
       "apiVersion": "2022-04-01",
       "scope": "[format('Microsoft.ContainerRegistry/registries/{0}', parameters('acrName'))]",
-      "name": "[guid(format('roleAssignment-acr-{0}', last(split(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray())[range(0, length(if(parameters('assignRbacRole'), coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), createArray())))[copyIndex()]], '/'))))]",
+      "name": "[guid(format('roleAssignment-acr-{0}', last(split(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray())[range(0, length(if(parameters('assignRbacRole'), coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), createArray())))[copyIndex()]], '/'))))]",
       "properties": {
-        "principalId": "[reference(format('existingManagedIdentities[{0}]', range(0, length(if(parameters('assignRbacRole'), coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), createArray())))[copyIndex()])).principalId]",
+        "principalId": "[reference(format('existingManagedIdentities[{0}]', range(0, length(if(parameters('assignRbacRole'), coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), createArray())))[copyIndex()])).principalId]",
         "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]",
         "principalType": "ServicePrincipal"
       },
       "dependsOn": [
         "acr",
-        "[format('existingManagedIdentities[{0}]', range(0, length(if(parameters('assignRbacRole'), coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), createArray())))[copyIndex()])]",
-        "[format('existingManagedIdentities[{0}]', range(0, length(if(parameters('assignRbacRole'), coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourcesIds'), createArray()), createArray())))[copyIndex()])]"
+        "[format('existingManagedIdentities[{0}]', range(0, length(if(parameters('assignRbacRole'), coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), createArray())))[copyIndex()])]",
+        "[format('existingManagedIdentities[{0}]', range(0, length(if(parameters('assignRbacRole'), coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), createArray())))[copyIndex()])]"
       ]
     },
     "acrRoleAssignmentNewManagedIdentity": {
@@ -299,7 +307,7 @@
           "tags": {
             "value": "[parameters('tags')]"
           },
-          "managedIdentities": "[if(variables('useExistingManagedIdentity'), createObject('value', parameters('managedIdentities')), createObject('value', createObject('userAssignedResourcesIds', createArray(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', coalesce(parameters('managedIdentityName'), 'id-ContainerRegistryImport'))))))]",
+          "managedIdentities": "[if(variables('useExistingManagedIdentity'), createObject('value', createObject('userAssignedResourcesIds', tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'))), createObject('value', createObject('userAssignedResourcesIds', createArray(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', coalesce(parameters('managedIdentityName'), 'id-ContainerRegistryImport'))))))]",
           "kind": {
             "value": "AzureCLI"
           },

diff --git a/avm/ptn/deployment-script/import-image-to-acr/tests/e2e/max/main.test.bicep b/avm/ptn/deployment-script/import-image-to-acr/tests/e2e/max/main.test.bicep
@@ -72,7 +72,7 @@ module testDeployment '../../../main.bicep' = [
       newImageName: 'application/your-image-name:tag'
       cleanupPreference: 'OnExpiration'
       assignRbacRole: true
-      managedIdentities: { userAssignedResourcesIds: [dependencies.outputs.managedIdentityResourceId] }
+      managedIdentities: { userAssignedResourceIds: [dependencies.outputs.managedIdentityResourceId] }
       overwriteExistingImage: true
       storageAccountResourceId: dependencies.outputs.storageAccountResourceId
       subnetResourceIds: [dependencies.outputs.deploymentScriptSubnetResourceId]

diff --git a/avm/ptn/deployment-script/import-image-to-acr/tests/e2e/waf-aligned/main.test.bicep b/avm/ptn/deployment-script/import-image-to-acr/tests/e2e/waf-aligned/main.test.bicep
@@ -55,7 +55,7 @@ module testDeployment '../../../main.bicep' = [
       acrName: dependencies.outputs.acrName
       image: 'mcr.microsoft.com/k8se/quickstart-jobs:latest'
       overwriteExistingImage: true
-      managedIdentities: { userAssignedResourcesIds: [dependencies.outputs.managedIdentityResourceId] }
+      managedIdentities: { userAssignedResourceIds: [dependencies.outputs.managedIdentityResourceId] }
     }
   }
 ]
diff --git a/avm/ptn/deployment-script/import-image-to-acr/version.json b/avm/ptn/deployment-script/import-image-to-acr/version.json
@@ -1,6 +1,6 @@
 {
   "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
-  "version": "0.3",
+  "version": "0.4",
   "pathFilters": [
     "./main.json"
   ]